WannaCry shows we need to understand why organizations don't patch

Posted by   Martijn Grooten on   May 17, 2017

For the past few days, the world of Infosec on Twitter has tried to find as many ways as possible of saying "we told you so".

To be fair, it's true – we did tell you so: for years we have warned of the dangers of not patching, of not keeping backups, and of running services one doesn't really need. Infosec does indeed have a pretty good track record of predicting the most serious cyber attacks. Unfortunately, it achieves this by constantly predicting doom, so that eventually it ends up being right.

Remember, for example, the 2015 vulnerability found in the Stagefright Android library? "In the worst case scenario, the exploit could be turned into a worm of a size not seen for a very long time," I wrote in a blog post, echoing what everyone else was saying around that time. Yet, despite the still deplorable state of Android patching, we have yet to see such a worm. In fact, I am not aware of any use of the Stagefright vulnerability in the wild. Stagefright isn't an exception: most vulnerabilities, even many of those that sound really bad, are rarely, if ever, exploited in the wild.

stagefrightflaw.jpg


So maybe the question we should be asking about WannaCry is not "why do so many organisations allow unpatched machines to exist on their networks?" but "why doesn't patching work reasonably well most of the time?".

Indeed, not patching may well be the most effective short-term strategy. With a few exceptions, such as browser plug-ins and open-source CMSs, exploitation of vulnerabilities right after they have been patched is rare. It may actually be more common to encounter problems arising from patches that go wrong.

Of course, patching is the sensible long-term approach, even if one can spend years running out-of-date systems before something as bad as WannaCry hits. A dedicated security team can help make patching a mostly painless procedure. Such teams aren't cheap though, and this, together with the price of some more advanced security products, may be the real issue: many organizations simply don't have the money we believe they should be spending on security. Repeatedly labouring the point that they should spend the money anyway may not always be the most effective approach.

When I was putting together the programme for VB2017, I wanted to include a number of talks by people who could provide a view from organizations that don't have lots of cash to throw at the security problem; I am pleased that the programme, which went live earlier this month, does indeed include several such talks.

vb2017-montage-sm.jpg


Most relevant to WannaCry is the talk by Jelena Milosevic, who works as a hospital nurse and has a passion for security; she is thus very well qualified to provide a behind-the-scenes view of healthcare security. But I am just as much looking forward to hearing Claus Cramon Houmann, who will talk about his time as a CISO for a small bank, and will share how to achieve 'minimum viable security' on a small budget.

Claus-Houmann-web.jpgClaus Cramon Houmann will talk about his time as a CISO for a small bank.


I am also looking forward to the presentation by Tyrus Kamau (Euclid Consultancy), who will talk about the state of cybersecurity in Kenya. It will be interesting to see how different, or maybe how similar, the threat landscape is in a country that has less money to spend in general, and thus less on security in particular. Maybe tighter budgets have made people more inventive and not necessarily less secure.

Another group that doesn't have a lot of money is 'civil society': NGOs, human rights activists, journalists, and so on. Many of them are volunteers or work for little money; they certainly don't have the funds to get a well-paid CISO or to spend on fancy and probably very effective security tools. Claudio Guarnieri, currently working for Amnesty International, but also one of the people behind the open-source Cuckoo Sandbox, will talk about the threats these people and organizations are facing.

If you're reading this, you probably work in security. It is your job to tell others how to make their systems more secure – and please continue to do so! But don't forget also to listen to those fighting security in the real world, and to make an effort to understand the constraints they operate under.

VB2017 will take 4-6 October in Madrid, Spain. Registration is now open - register before 30 June 2017 to qualify for the early bird rate!

VB2017-325w.jpg

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

VB2017 call for last-minute papers opened

Today, we open the call for last-minute papers for VB2017. Submit before 3 September to have your abstract considered for one of the ten slots reserved for 'hot' research.

Five reasons to come to VB2017 in Madrid

We're not ones to make bold claims about our conference, and we suggest you ask past attendees for their opinion, but here are five reasons why we think you should come to VB2017 in Madrid.

DMARC: an imperfect solution that can make a big difference

US Senator Ron Wyden has asked the Department of Homeland Security to implement DMARC. Martijn Grooten looks at what difference this could make for phishing attacks impersonating the US federal governent.

Advanced and inept persistent threats to be discussed at VB2017

Unsurprisingly given today's threat landscape, the VB2017 programme contains several talks on various advanced persistent threats - but also a talk on what may be the polar opposite of such threats: an inept persistent threat.

Password security is 1% choosing a half-decent password, 99% not using it anywhere else

Password security advice focuses too much on password strength and too little on avoiding password reuse, Martijn Grooten argues.